Addressing threats to health care's core values, especially those stemming from concentration and abuse of power. Advocating for accountability, integrity, transparency, honesty and ethics in leadership and governance of health care.

Thursday, February 04, 2010

Networked, Interoperable, Secure National Medical Records a Castle in the Sky?

The holy grail of electronic medical record efforts of late is the creation of networked, interoperable, secure national medical records that would allow a physician in Palo Alto to retrieve the records of a patient from Hoboken if that patient moved or was found (in the hackneyed and somewhat histrionic scenario) unconscious on the streets of San Francisco.

Recent events have made me skeptical we are anywhere near ready for such a technological accomplishment:

At the World Economic Forum Annual Meeting in Switzerland, McAfee announced the results of a survey of 600 IT security execs in "critical infrastructure enterprises worldwide": that is, in places such as utility companies, banks, and even oil refineries. And apparently, they're constantly under cyber attack and also extortion related to those attacks.

It's a real battlefield out there.

The report, written by the Center for Strategic and International Studies (CSIS), says that 54 percent of those surveyed have already been attacked. The culprits behind the cyber-attacks are listed as "organized crime-gangs, terrorists, or nation-states."

In other words, not simply teenage hackers or cyber-paparazzi interested in the medical condition of a movie star.

Only one-fifth of the IT execs surveyed believe their systems are currently secure. One-third say things are worse now, vulnerability-wise, than a year ago, due to budget cuts.

What constitutes a cyber attack? A distributed denial of service (DDoS) is the most typical ... mitigation can be hampered by the local laws, working in multiple countries, or the economics of where they operate. For example, half of those surveyed claim the laws in their countries don't do enough to prevent or deter cyber attacks. That's especially true for Russia, Mexico, and Brazil.

Other attack vectors include DNS poisoning where Web traffic is redirected, SQL injection attacks on back-end data via a public Web site, and plain old theft of services.

If you need a plot for your new thriller novel, keep in mind that 20 percent of these companies are not just cyber-attacked, but have also been threatened with attacks in the last two years in "low-level extortion" attempts.

... Those surveyed said the money loss is the worst part, second is the loss of reputation, and (if you thought you weren't important) loss of customers' personal information is third.

This is a worldwide survey, and almost two-thirds of those surveyed believe foreign governments were responsible in some way for previous attacks. The two countries considered the biggest threats: China (by 33 percent of those surveyed) and the good ol' U.S. of A. (by 36 percent). China believes it's the biggest target.

The attacks targeted Google source code -- the programming language underlying Google applications -- and extended to more than 30 other large tech, defense, energy, financial and media companies. The Gmail accounts of human rights activists in Europe, China and the United States were also compromised.

The United States is at risk of a crippling cyber attack that could "wreak havoc" on the country, Director of National Intelligence Dennis Blair said.

"What we don't quite understand as seriously as we should is the extent of malicious cyberactivity that grows, that is growing now at unprecedented rates, extraordinary sophistication," Blair said.

... He said one critical "factor" is that more and more foreign companies are supplying software and hardware for government and private sector networks. "This increases the potential for subversion of the information in ... those systems," Blair said. [Outsourcing our HIT development overseas sounds like a great idea - ed.]

Read the linked articles in their entirety.

Perhaps we should focus on the local at present. National networked EMRs are a great concept, but there are a few sociotechnical details that remain to be worked out beforehand.

3 comments:

Obviously, security is a complex activity that extends beyond just technology. However, many of the problems listed above, such as DDoS, DNS cache poisoning, etc. are so widespread because they exploit the "childlike innocence with regard to strangers" that is a fundamental part of the early internet design, where connectivity, not security, was a major factor. So much of the current TCP/IP architecture dates back to the 1970s. I'm curious what fraction of current problems will be eliminated once IPv6 is implemented.

We will find out (we can't know this with certainty beforehand -- cf. Social Informatics research on unintended consequences of any new information & communications technology). However, I am certain that utilizing patients as test subjects in our explorations is not a prudent approach.